Monday, December 20, 2010

Facebook Security: Malware Analysis

Thanks to the CeSeNA group and to Luca Mella (one of its organizers), I came across a nice, didactic example of malware (a keylogger) that shows how attackers might use social networks to spread a new generation of malware.

Everything starts with a friend who sends you a link. In this case the link was: http://www.facebook.com/l.php?u=www.acoplasticos.org%2Fcrm. Note that the facebook.com part is only Facebook's outbound link shim (l.php): the real destination is whatever sits in the u= parameter, here www.acoplasticos.org/crm, so the trusted domain in the visible URL means nothing. Opening the link, a nicely set-up trap asks you to click a "button" which runs a fake image: an executable file called image96523489.exe.
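As an added example (not code from the original post), this is the kind of check I would apply to such a link before anyone clicks it: unwrap the Facebook l.php shim to get the real destination, then look at the final filename for an executable extension hiding behind an image-like name or a double extension. The first sample link is the one from the post; the other two are constructed variants (example.invalid) and are assumptions for contrast.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed samples: the shim link from the post, plus two assumed variants
# on a reserved domain (example.invalid) that are not from the original page.
SAMPLE_LINKS = [
    "http://www.facebook.com/l.php?u=www.acoplasticos.org%2Fcrm",
    "http://www.facebook.com/l.php?u=http%3A%2F%2Fexample.invalid%2Fphotos%2Fimage96523489.exe",
    "http://www.facebook.com/l.php?u=http%3A%2F%2Fexample.invalid%2Fphotos%2Fimage.jpg",
]

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
IMAGE_WORDS = ("image", "photo", "pic", "img", "foto")


def unwrap_shim(url: str) -> str:
    """Return the real destination behind a facebook.com/l.php?u=... link.

    Links that are not the shim are returned unchanged. A scheme-less target
    (as in the post's link) gets http:// prepended so it parses as a URL.
    """
    parts = urlsplit(url)
    if parts.netloc.lower().endswith("facebook.com") and parts.path == "/l.php":
        target = parse_qs(parts.query).get("u", [""])[0]
        if target:
            target = unquote(target)          # harmless if parse_qs already decoded it
            if "://" not in target:
                target = "http://" + target
            return target
    return url


def classify(url: str) -> dict:
    """Unwrap the shim and decide whether the final path is a disguised executable.

    Only the last extension counts, so photo.jpg.exe is an executable; the name
    is then compared against words a lure would use to look like a picture.
    """
    dest = unwrap_shim(url)
    parts = urlsplit(dest)
    filename = parts.path.rsplit("/", 1)[-1].lower()
    ext = "." + filename.rsplit(".", 1)[-1] if "." in filename else ""
    executable = ext in EXECUTABLE_EXTENSIONS
    disguised = executable and any(word in filename for word in IMAGE_WORDS)
    return {
        "destination": dest,
        "host": parts.netloc,
        "filename": filename,
        "executable": executable,
        "disguised_as_image": disguised,
    }


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(classify(link))
```

The shim only tells you where the click goes; in the real case the executable was behind a further page on that host, so the destination host is the thing to block or sandbox, and the filename check applies to whatever that page finally serves.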

If the targeted user clicks on it, it starts two processes: the browser (the report below shows it launched through explorer.exe on a MySpace page, as a decoy) and a background program called nvsvc32.exe, which is the actual malware.

The first thing the dropper does is copy itself, as a hidden file, into the Windows directory together with two other hidden files: C:\windows\nvsvc32.exe, C:\windows\wibrf.jpg and C:\windows\wiybr.png.

It adds autostart entries in the registry: a value "NVIDIA driver monitor" = c:\windows\nvsvc32.exe under HKLM\software\microsoft\Windows\CurrentVersion\Run, the same value under HKLM\software\microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run and under HKCU\software\Microsoft\Windows\CurrentVersion\Run, plus a few secondary locations. The value name is chosen to look like a legitimate NVIDIA component, but it points to a file sitting directly in C:\windows rather than in a driver directory. It also sets HKLM\system\CurrentControlSet\Services\wuauserv\Start to 4 (SERVICE_DISABLED), which switches off Windows Update; the report below shows the same treatment for MsMpSvc (Microsoft's anti-malware service) via net stop and sc config, and a firewall exception for itself added with netsh firewall add allowedprogram.
It changes Internet Explorer settings as well, for example under HKCU\software\microsoft\internet explorer\main and HKCU\software\Microsoft\Internet Explorer\Toolbar\Locked = 1.

Some of the DNS queries observed (the facebook.com, myspace.com and myspacecdn.com lookups come at least in part from the browser session it opens; the last entry, with the .localdomain suffix, is most likely the sandbox's DNS search suffix appended to a failed lookup rather than a domain the malware asked for):

Query DNS: astro.ic.ac.uk
Query DNS: ale.pakibili.com
Query DNS: versatek.com
Query DNS: journalofaccountancy.com
Query DNS: transnationale.org
Query DNS: browseusers.myspace.com
Query DNS: mas.0730ip.com
Query DNS: www.myspace.com
Query DNS: ds.phoenix-cc.net
Query DNS: stayontime.info
Query DNS: www.shearman.com
Query DNS: insidehighered.com
Query DNS: ate.lacoctelera.net
Query DNS: websitetrafficspy.com
Query DNS: qun.51.com
Query DNS: x.myspacecdn.com
Query DNS: www.facebook.com
Query DNS: summer-uni-sw.eesp.ch
Query DNS: shopstyle.com
Query DNS: xxx.stopklatka.pl
Query DNS: xxx.stopklatka.pl.localdomain


And, of course, network connections.

Connects to "63.135.80.224" on port 80 (TCP - HTTP).
Connects to "63.135.80.46" on port 80 (TCP - HTTP).
Connects to "46.40.191.11" on port 80 (TCP - HTTP).
Connects to "66.220.158.18" on port 80 (TCP - HTTP).
Connects to "174.37.200.82" on port 80 (TCP - HTTP).

From those addresses the malware downloads its actual core (the payload), copying it into different processes and folders on the attacked machine. But this is not really interesting.

Connects to "205.234.253.15" on port 1234 (TCP).
This one is much more interesting. Opening it in a normal web browser shows that whatever is listening there does not speak HTTP.

Looking at the traffic itself (and at who the address belongs to), the protocol turns out to be FTP.



The use of FTP is often a sign of keylogger activity: first the malware injects DLLs into processes, then it uploads the stored passwords and/or cookies to the FTP server. Here it injects C:\windows\ndl.dll into several programs, including Explorer, Office and Outlook. It touches the browser cookie files C:\Documents and Settings\Administrator\Cookies\administrator@facebook[1].txt, C:\Documents and Settings\Administrator\Cookies\administrator@myspace[2].txt and C:\Documents and Settings\Administrator\Cookies\administrator@www.myspace[1].txt (the Facebook and MySpace session cookies are exactly what a credential stealer is after), and it tampers with system services (stopping and disabling wuauserv and MsMpSvc). Every 10 minutes it uploads a file called _session_.txt to the FTP server. Since FTP is cleartext, both the stolen data and the drop server's credentials travel unencrypted, which is good news for whoever is watching the network.
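A fixed 10-minute upload to one address on an odd port is the easiest part of this malware to catch from the network side. As an added example (not from the original post), here is a small beacon detector run over constructed connection-log lines: it groups flows by source, destination and port and flags those whose inter-connection gaps are almost constant. The log format, the internal address 10.0.0.25 and the timestamps are assumptions; the destination 205.234.253.15:1234 is the one from the analysis.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed firewall-log lines (not from the original post): one host uploading
# to the FTP drop every ~10 minutes, plus ordinary port-80 traffic as noise.
# Format assumed here: ISO timestamp, source IP, destination IP, port, protocol.
SAMPLE_LOG = """\
2010-12-20T10:00:05 10.0.0.25 205.234.253.15 1234 TCP
2010-12-20T10:00:07 10.0.0.25 66.220.158.18 80 TCP
2010-12-20T10:10:04 10.0.0.25 205.234.253.15 1234 TCP
2010-12-20T10:12:31 10.0.0.25 174.37.200.82 80 TCP
2010-12-20T10:20:06 10.0.0.25 205.234.253.15 1234 TCP
2010-12-20T10:21:00 10.0.0.25 66.220.158.18 80 TCP
2010-12-20T10:30:05 10.0.0.25 205.234.253.15 1234 TCP
2010-12-20T10:40:04 10.0.0.25 205.234.253.15 1234 TCP
2010-12-20T10:47:12 10.0.0.25 66.220.158.18 80 TCP
"""


def parse_log(text: str) -> dict:
    """Group connection timestamps by (src, dst, port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, _proto = line.split()
        flows[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    return flows


def find_beacons(flows: dict, min_hits: int = 4, max_jitter: float = 0.05) -> list:
    """Return (src, dst, port, period_seconds) for flows with near-constant gaps.

    A flow needs at least min_hits connections, and every gap must lie within
    max_jitter (a fraction of the median gap) of that median. Human browsing
    has irregular gaps and drops out; a scheduled upload does not.
    """
    results = []
    for (src, dst, port), times in flows.items():
        if len(times) < min_hits:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if med > 0 and all(abs(g - med) <= max_jitter * med for g in gaps):
            results.append((src, dst, port, med))
    return results


if __name__ == "__main__":
    for src, dst, port, period in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {dst}:{port} every ~{period:.0f}s")
```

With real logs the threshold and jitter need tuning (legitimate software updates and NTP also beacon), so the hit list is a triage queue, not a verdict; here the combination of a regular period, a non-standard port and a cleartext protocol is what makes the flow worth pulling a capture for.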

This is a classic example of how social media can be used to spread malware. First the attacker sends you a friend request. Most of the time, if a nice girl or a good-looking man you might have met somewhere, but cannot really remember, asks for your friendship, you accept, out of kindness or to avoid looking rude. Second, once the attacker is inside your circle of friends, he waits a while to let the friendship settle. Then he sends you a link, in a private message, on your wall or simply in the news feed. You do not remember who he is, but since he is among your friends you trust him. Here comes the real trick. You did not remember him when he sent the request, and if he had sent you a link right away you probably would not have trusted him. But after some time you have forgotten that you did not trust him, and you trust him because you assume that whoever is in your friends list is a friend, and therefore trusted. You open the link and you are infected.

Yes, running a keylogging operation is complicated. You need to compromise several websites to host the payload and the malware, you need to compromise an FTP server, you need to write a good payload that antivirus products do not detect, and you need to push all of it out around the world. I mean, it is a job! But all that technology pales next to social engineering. Most of the time social engineering is the attacker's most powerful weapon, and protecting against it means protecting against most of the complicated and crazy attack technology built on top of it.


Below is the detailed sandbox report on the malware:

[ General information ]
* File name: c:\documents and settings\administrator\desktop\image96523489.exe
* File length: 65024 bytes
* File signature: Microsoft Visual C++ 7.0
* MD5 hash: 085ecb8b600c3b4b105674ed27cdcbaf
* SHA1 hash: 5c20fe20a5f0a86d1b0455f8d20299dfe583b30b
* SHA256 hash: f2a17d30d9e921fdc9e0d7f927f20c8820869552d8ba1cfa5f7fbc68d64f970a

[ Changes to filesystem ]
* Creates file C:\windows\ndl.dl
* Creates file (hidden) C:\windows\nvsvc32.exe
* Creates file (hidden) C:\windows\wibrf.jpg
* Creates file (hidden) C:\windows\wiybr.png
* Creates file C:\Documents and Settings\Administrator\Cookies\administrator@facebook[1].txt
* Creates file C:\Documents and Settings\Administrator\Cookies\administrator@myspace[2].txt
* Creates file C:\Documents and Settings\Administrator\Cookies\administrator@www.myspace[1].txt
* Creates file C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012010121320101220\index.dat
* Creates file C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012010122020101221\index.dat
* Creates file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\F7YBJYVW\bg_browserSection[1].jpg
* Creates file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\F7YBJYVW\browserunsupported[1].htm
* Creates file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JRQBGGX3\icon_information[1].gif
* Creates file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JRQBGGX3\index[4].htm
* Creates file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\LPI195Q5\bg_infobox[1].jpg
* Creates file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\LPI195Q5\browserLogos_med[1].jpg
* Creates file C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZQFMUB46\cornersSheet[1].png

[ Changes to registry ]
* Creates value "FileTracingMask=0000FFFF" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\FWCFG
* Creates value "ConsoleTracingMask=0000FFFF" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\FWCFG
* Creates value "MaxFileSize=00001000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\FWCFG
* Creates value "FileDirectory=2500770069006E0064006900720025005C00740072006100630069006E0067000000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\FWCFG
* Creates value "NVIDIA driver monitor=c:\windows\nvsvc32.exe" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run
* Creates value "NVIDIA driver monitor=c:\windows\nvsvc32.exe" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
* Creates value "LogSessionName=7300740064006F00750074000000" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh
* Creates value "Active=01000000" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh
* Creates value "ControlFlags=01000000" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh
* Creates value "Guid=710adbf0-ce88-40b4-a50d-231ada6593f0" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr
* Creates value "BitNames= NAP_TRACE_BASE NAP_TRACE_NETSH" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr
* Creates value "LogSessionName=7300740064006F00750074000000" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent
* Creates value "Active=01000000" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent
* Creates value "ControlFlags=01000000" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent
* Creates value "Guid=b0278a28-76f1-4e15-b1df-14b209a12613" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier
* Creates value "BitNames= Error Unusual Info Debug" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier
* Creates Registry key HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\napagent\LocalConfig\Enroll\HcsGroups
* Creates Registry key HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\napagent\LocalConfig\UI
* Creates value "image96523489.exe=c:\windows\nvsvc32.exe:*:Enabled:NVIDIA driver monitor" in key HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Desktop
* Modifies value "Start=00000004" in key HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\wuauserv
old value "Start=00000002"
* Modifies value "Window_Placement=2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF62000000920000005903000041030000" in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Main
old value "Window_Placement=2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA00000000000000097030000AF020000"
* Deletes Registry key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
* Modifies value "HRZR_PGYFRFFVBA=10015D0E14000000" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
old value "HRZR_PGYFRFFVBA=FDED5C0E13000000"
* Modifies value "Count=00000010" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore
old value "Count=0000000F"
* Modifies value "Time=DA070C000100140008002A0022006C00" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore
old value "Time=DA070C0005001100070037003000A802"
* Modifies value "Count=00000010" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore
old value "Count=0000000F"
* Modifies value "Time=DA070C000100140008002A0022007C00" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore
old value "Time=DA070C0005001100070037003000A802"
* Creates value "CachePath=25005500530045005200500052004F00460049004C00450025005C004C006F00630061006C002000530065007400740069006E00670073005C0048006900730074006F00720079005C0048006900730074006F00720079002E004900450035005C004D00530048006900730074003000310032003000310030003100320031003300320030003100300031003200320030005C000000" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012010121320101220
* Creates value "CachePrefix=:2010121320101220: " in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012010121320101220
* Creates value "CacheLimit=00200000" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012010121320101220
* Creates value "CacheOptions=0B000000" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012010121320101220
* Deletes Registry key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012010121420101215
* Deletes Registry key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012010121620101217
* Creates value "CachePath=25005500530045005200500052004F00460049004C00450025005C004C006F00630061006C002000530065007400740069006E00670073005C0048006900730074006F00720079005C0048006900730074006F00720079002E004900450035005C004D00530048006900730074003000310032003000310030003100320032003000320030003100300031003200320031005C000000" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012010122020101221
* Creates value "CachePrefix=:2010122020101221: " in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012010122020101221
* Creates value "CacheLimit=00200000" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012010122020101221
* Creates value "CacheOptions=0B000000" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012010122020101221
* Modifies value "SavedLegacySettings=3C00000020000000010000000000000000000000000000000400000000000000A0C4FAAF62D0CA0101000000AC10268B0000000000000000" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
old value "SavedLegacySettings=3C0000001E000000010000000000000000000000000000000400000000000000A0C4FAAF62D0CA0101000000AC10268B0000000000000000"
* Creates value "NVIDIA driver monitor=c:\windows\nvsvc32.exe" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run
* Modifies value "MRUListEx=02000000010000000800000016000000170000000F0000000D0000001500000014000000130000001200000010000000110000000300000000000000050000000E0000000C0000000B0000000A00000009000000070000000600000004000000FFFFFFFF" in key HKEY_CURRENT_USER\software\Microsoft\Windows\ShellNoRoam\BagMRU
old value "MRUListEx=01000000020000000800000016000000170000000F0000000D0000001500000014000000130000001200000010000000110000000300000000000000050000000E0000000C0000000B0000000A00000009000000070000000600000004000000FFFFFFFF"
* Modifies value "WinPos1286x734(1).left=00000062" in key HKEY_CURRENT_USER\software\Microsoft\Windows\ShellNoRoam\Bags\8\Shell
old value "WinPos1286x734(1).left=000000A0"
* Modifies value "WinPos1286x734(1).top=00000092" in key HKEY_CURRENT_USER\software\Microsoft\Windows\ShellNoRoam\Bags\8\Shell
old value empty
* Modifies value "WinPos1286x734(1).right=00000359" in key HKEY_CURRENT_USER\software\Microsoft\Windows\ShellNoRoam\Bags\8\Shell
old value "WinPos1286x734(1).right=00000397"
* Modifies value "WinPos1286x734(1).bottom=00000341" in key HKEY_CURRENT_USER\software\Microsoft\Windows\ShellNoRoam\Bags\8\Shell
old value "WinPos1286x734(1).bottom=000002AF"
* Deletes Registry key HKEY_CURRENT_USER\software\classes\*\shell\sandbox

[ Network services ]
* Looks for an Internet connection.
* Backdoor functionality on port 0.
* Queries DNS astro.ic.ac.uk
* Queries DNS ale.pakibili.com
* Queries DNS versatek.com
* Queries DNS journalofaccountancy.com
* Queries DNS transnationale.org
* Queries DNS browseusers.myspace.com
* Queries DNS mas.0730ip.com
* Queries DNS www.myspace.com
* Queries DNS ds.phoenix-cc.net
* Queries DNS stayontime.info
* Queries DNS www.shearman.com
* Queries DNS insidehighered.com
* Queries DNS ate.lacoctelera.net
* Queries DNS websitetrafficspy.com
* Queries DNS qun.51.com
* Queries DNS x.myspacecdn.com
* Queries DNS www.facebook.com
* Queries DNS summer-uni-sw.eesp.ch
* Queries DNS shopstyle.com
* Queries DNS xxx.stopklatka.pl
* Queries DNS xxx.stopklatka.pl.localdomain
* Connects to "63.135.80.224" on port 80 (TCP - HTTP).
* Connects to "63.135.80.46" on port 80 (TCP - HTTP).
* Connects to "205.234.253.15" on port 1234 (TCP).
* Connects to "46.40.191.11" on port 80 (TCP - HTTP).
* Connects to "66.220.158.18" on port 80 (TCP - HTTP).
* Connects to "174.37.200.82" on port 80 (TCP - HTTP).
* Opens next URLs:
http://174.37.200.82/index.php

[ Process/window information ]
* Keylogger functionality.
* Creates process "(null),net stop ,(null)".
* Injects code into process "net.exe".
* Creates a mutex "SHIMLIB_LOG_MUTEX".
* Creates an event named "DINPUTWINMM".
* Creates an event named "Global\userenv: User Profile setup event".
* Creates process "(null),net1 stop ,(null)".
* Injects code into process "net1.exe".
* Creates process "(null),C:\Documents and Settings\Administrator\Desktop\image96523489.exe,(null)".
* Injects code into process "image96523489.exe".
* Creates an event named "Global\crypt32LogoffEvent".
* Creates a mutex "Nvidia Drive Mon".
* Creates a mutex "_!MSFTHISTORY!_".
* Creates a mutex "c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!".
* Creates a mutex "c:!documents and settings!administrator!cookies!".
* Creates a mutex "c:!documents and settings!administrator!local settings!history!history.ie5!".
* Creates process "(null),netsh firewall add allowedprogram 1.exe 1 ENABLE,(null)".
* Creates process "c:\windows\nvsvc32.exe,(null),c:\windows".
* Creates process "(null),explorer.exe http://browseusers.myspace.com/Browse/Browse.aspx,(null)".
* Injects code into process "explorer.exe".
* Opens a service named "ShellHWDetection".
* Creates process "(null),C:\windows\nvsvc32.exe,(null)".
* Injects code into process "nvsvc32.exe".
* Injects code into process "iexplore.exe".
* Creates a mutex "Shell.CMruPidlList".
* Creates process "(null),net stop wuauserv,(null)".
* Creates a mutex "RasPbFile".
* Creates a mutex "ZonesCounterMutex".
* Creates a mutex "ZonesCacheCounterMutex".
* Creates a mutex "ZonesLockedCacheCounterMutex".
* Creates a mutex "oleacc-msaa-loaded".
* Creates process "(null),net stop MsMpSvc,(null)".
* Enumerates running processes.
* Creates process "(null),sc config wuauserv start= disabled,(null)".
* Opens a service named "RASMAN".
* Creates process "(null),sc config MsMpSvc start= disabled,(null)".
* Injects code into process "sc.exe".
* Creates process "(null),net1 stop wuauserv,(null)".
* Creates process "(null),net1 stop MsMpSvc,(null)".
* Opens a service named "wuauserv".
* Opens a service named "MsMpSvc".
* Lists all entry names in a remote access phone book.
* Injects code into process "netsh.exe".
* Creates a mutex "CTF.LBES.MutexDefaultS-1-5-21-1078081533-1677128483-1801674531-500".
* Creates a mutex "CTF.Compart.MutexDefaultS-1-5-21-1078081533-1677128483-1801674531-500".
* Creates a mutex "CTF.Asm.MutexDefaultS-1-5-21-1078081533-1677128483-1801674531-500".
* Creates a mutex "CTF.Layouts.MutexDefaultS-1-5-21-1078081533-1677128483-1801674531-500".
* Creates a mutex "CTF.TMD.MutexDefaultS-1-5-21-1078081533-1677128483-1801674531-500".
* Opens a service named "NapAgent".
* Creates a mutex "_!SHMSFTHISTORY!_".
* Creates a mutex "c:!documents and settings!administrator!local settings!history!history.ie5!mshist012010121420101215!".
* Creates a mutex "c:!documents and settings!administrator!local settings!history!history.ie5!mshist012010121320101220!".
* Creates a mutex "c:!documents and settings!administrator!local settings!history!history.ie5!mshist012010121620101217!".
* Creates a mutex "c:!documents and settings!administrator!local settings!history!history.ie5!mshist012010122020101221!".
* Creates a mutex "HGFSMUTEX".
* Opens a service named "WebClient".
* Creates a mutex "Global\winlogon: Logon UserProfileMapping Mutex".
* Creates a mutex "_SHuassist.mtx".
* Opens a service named "AudioSrv".
* Creates a mutex "MidiMapper_modLongMessage_RefCnt".
* Creates a mutex "MidiMapper_Configure".
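A report like the one above is long, and most of it is noise (Internet Explorer cache keys, window positions, mutexes the OS creates). As an added example (not part of the original post), this parser pulls the indicators out of the report's own line format and flags the items discussed earlier in the write-up: the Run-key persistence, the services set to Start=4, the firewall exception, the net stop / sc config / netsh commands, and connections on non-standard ports. The sample input is a handful of lines copied from the report above; the regular expressions are my assumptions about this sandbox's output format and will need adjusting for other tools.

```python
import re

# Sample input: lines copied verbatim from the sandbox report above. Nothing here
# is new data; the excerpt just keeps the example short.
REPORT_EXCERPT = r"""
* Creates file (hidden) C:\windows\nvsvc32.exe
* Creates file C:\windows\ndl.dl
* Creates value "NVIDIA driver monitor=c:\windows\nvsvc32.exe" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run
* Creates value "NVIDIA driver monitor=c:\windows\nvsvc32.exe" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run
* Creates value "image96523489.exe=c:\windows\nvsvc32.exe:*:Enabled:NVIDIA driver monitor" in key HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Desktop
* Modifies value "Start=00000004" in key HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\wuauserv
old value "Start=00000002"
* Queries DNS ale.pakibili.com
* Connects to "205.234.253.15" on port 1234 (TCP).
* Connects to "174.37.200.82" on port 80 (TCP - HTTP).
* Creates process "(null),net stop MsMpSvc,(null)".
* Creates process "(null),sc config wuauserv start= disabled,(null)".
* Creates process "(null),netsh firewall add allowedprogram 1.exe 1 ENABLE,(null)".
"""

# Line patterns assumed from the report format above (one entry per line,
# "old value" on the line following a "Modifies value" entry).
RE_VALUE = re.compile(r'^\* (Creates|Modifies) value "([^"=]+)=([^"]*)" in key (.+)$')
RE_OLD = re.compile(r'^old value "([^"=]+)=([^"]*)"$')
RE_FILE = re.compile(r'^\* Creates file (\(hidden\) )?(.+)$')
RE_DNS = re.compile(r'^\* Queries DNS (\S+)$')
RE_CONN = re.compile(r'^\* Connects to "([\d.]+)" on port (\d+)')
RE_PROC = re.compile(r'^\* Creates process "(.+)"\.$')


def parse_report(text: str) -> dict:
    """Turn report lines into structured indicators."""
    iocs = {"files": [], "registry": [], "dns": [], "connections": [], "processes": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = RE_VALUE.match(line)
        if m:
            action, name, data, key = m.groups()
            iocs["registry"].append({"action": action, "name": name, "data": data,
                                     "key": key, "old": None})
            continue
        m = RE_OLD.match(line)
        if m and iocs["registry"]:
            iocs["registry"][-1]["old"] = m.group(2)   # previous data of the modified value
            continue
        m = RE_FILE.match(line)
        if m:
            iocs["files"].append((m.group(2), m.group(1) is not None))  # (path, hidden)
            continue
        m = RE_DNS.match(line)
        if m:
            iocs["dns"].append(m.group(1))
            continue
        m = RE_CONN.match(line)
        if m:
            iocs["connections"].append((m.group(1), int(m.group(2))))
            continue
        m = RE_PROC.match(line)
        if m:
            # The sandbox prints "(null),<command line>,(null)"; keep the real field.
            fields = m.group(1).split(",")
            iocs["processes"].append(next((f for f in fields if f != "(null)"), m.group(1)))
    return iocs


def analyse(iocs: dict) -> list:
    """Map indicators to the behaviours discussed in the write-up."""
    findings = []
    for entry in iocs["registry"]:
        key = entry["key"].lower()
        if key.endswith("\\currentversion\\run"):
            findings.append(("persistence", f"{entry['name']} -> {entry['data']} ({entry['key']})"))
        if "\\services\\" in key and entry["name"].lower() == "start" and entry["data"] == "00000004":
            findings.append(("service_disabled", key.rsplit("\\", 1)[-1]))   # Start=4 is SERVICE_DISABLED
        if "\\firewallpolicy\\" in key and "authorizedapplications" in key:
            findings.append(("firewall_exception", entry["data"]))
    for cmd in iocs["processes"]:
        low = cmd.lower()
        if (low.startswith(("net stop", "net1 stop"))
                or ("sc config" in low and "disabled" in low)
                or low.startswith("netsh firewall add")):
            findings.append(("defense_evasion", cmd))
    for ip, port in iocs["connections"]:
        if port not in (80, 443):
            findings.append(("nonstandard_port", f"{ip}:{port}"))
    return findings


if __name__ == "__main__":
    for kind, detail in analyse(parse_report(REPORT_EXCERPT)):
        print(f"{kind:18} {detail}")
```

The point of the "old value" capture is remediation: the report tells you wuauserv was 2 (automatic) before the malware set it to 4, so a cleanup script can restore it instead of guessing. Run against the full report, the same rules also pick up the Terminal Server Install Run key, which is an autostart location people often forget to check.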

5 comments:

Anonymous said...

How can I make it out?

Marco Ramilli said...

Hi Anonymous, what do you mean ?

niki8613 said...

I got this virus. What should I do? How can I get rid of it? Do I have to follow your instructions above?

Marco Ramilli said...

Hi niki, did you try with normal AVs? From my analysis it seems a really "normal" keylogger; PC Tools' free AV (ThreatFire: http://www.threatfire.com/) shouldn't have any problem detecting it. Another good one is Avira Free (http://www.free-av.com/). If they do catch it, you should delete at least the files listed in the [Changes to filesystem] section of the above report.

I hope this has been useful.

niki8613 said...

Thanks a lot for your help.